Edge Compute Needs Unikernels and It Needs Them Now

Securing IoT (Internet of Things) is a known challenge. Device proliferation is exceeding at a rate that is hard to quantify. Almost every day we are starting to hear new stories about sensors attached to almost anything that’s worth measuring—which apparently is everything. Let’s face it though, slapping Linux on an ARM chip and hoping that someone doesn’t find the public IP on the gateway it’s talking through is a real challenge. After all there’s only 4 billion public IPs available and we now have software that scans the entire Internet in a single day every single day.

However, for those organizations that are starting to embrace edge computing it’s a completely different ballgame. The difference between edge compute and traditional IoT is that the latter is mostly composed of ‘dumb’ sensors or read-and-feed type of devices, while edge actually pushes the software that does all the interesting things to the actual edge rather than some cloud or private datacenter.

There is now software that is being installed in buildings such as high schools throughout the U.S. that can spot pistols and rifles that people are carrying in areas they might not be allowed to carry. This software is not backed by humans sitting and looking at a bajillion CCTV cameras—after all that is completely unscalable. It is software that can ‘see’ and apparently is so good now that it can understand the difference between a plastic water gun and a true Glock. What’s more, this software then can take action by alerting someone at the actual physical location in realtime.

What’s the catch? The catch is now that this software needs to be sitting at the edge—inside the physical premise to have the most effect. How does one manage the software? Let me paint the numbers for you. There’s something like 98,000 schools in the U.S., if you include elementary schools. There’s another 7,000 public and private colleges in the U.S. Some schools are conservatively installing about 100 cameras per school, while others have put in more than 1,500 at a single school—in a single building. No human can deal with all of that. Not even a team of humans could. However, if you’re talking about high-def video, try pushing all of that back live over your internet connection. Go ahead, I’ll wait. This is precisely why the software that can in realtime analyze the footage needs to be installed at the premise. This is the edge and we’ve only touched on one example of it.

These are very challenging needs when you realize a school system like the New York City Dept. of Education has more than 1,700 public schools under its supervision. It’s one thing if you’re a technology company in Silicon Valley and all of your software resides on the public cloud in one of Amazon’s private fully-staffed datacenters—Amazon also happens to employ north of 20,000 engineers. It’s another thing when you need to replicate the same reliability, response time, security, and manageability of this over this footprint at scale.

Edge compute needs unikernels and it needs them now. Linux is entirely insufficient for the edge. Linux is a monolithic operating system that is explicitly designed to run multiple programs including those controlled by attackers while unikernels are designed to only run one program per VM (virtual machine) effectively putting an end to remote code execution attacks and the massive build-up of botnets. Likewise, unikernels don’t have the concept of being able to remotely log in to them like Linux and Windows do. They don’t even have the concept of usernames and passwords because it’s not needed. This is important not just from a security perspective, but also just from a sheer “how do I manage this at scale?” perspective.

It’s a connected society and we already know how bad IoT security is. If we want to embrace the benefits of edge compute then we need to embrace unikernels as the de-facto system for managing compute at the edge.

Ian Eyberg is CEO of NanoVMs. He is a self-taught expert in computer science, specifically operating systems and mainstream security.